Simple SMB scanner written in Bash for Linux, for newer systems with zmap support
smbscan-1.2.tar.gz
(Download all) for new systems (2015) with zmap and so on
– added zmap support
– replaced smbmount with mount
– removed dialog and whiptail
#!/bin/bash
# This script scans smb servers a given network
# and mounts anonymous shared directories
# example: ./smbscan.sh or ./smbscan iprange
# http://www.bastardo.de/
#
# Review notes (comments only, no code changed):
# - Host discovery uses nmap (-n ip/range) or zmap (-z count); both are
#   expected at the hard-coded absolute paths below, and the script must run
#   as root because it calls mount.
# - Every scratch file (./out, ./$IP.out, ./$host.shares, ./mounts, and a
#   stray file named "1", see below) and every mount point is created in the
#   current working directory, so run it from a dedicated empty directory.
# - Values received from the network (NetBIOS names from nmblookup, share
#   names from smbclient) are used as local path components without any
#   validation; a hostile server can influence where mkdir and mount operate.

# clean old temp files
# NOTE(review): removes every *.out file in the working directory, not only
# files this script created.
rm -f *.out

if [ `id -u` -ne 0 ]; then
  echo "You must be root to use this script."
  exit 1
fi

# Absolute paths to the external tools. mount/smbclient/nmblookup/grep/sed
# are checked with `test -x` below; nmap/zmap only when selected.
# cut, awk, date, df and pidof are also used but never checked.
FILESYSTEM=cifs
MNT=/bin/mount
SMBC=/usr/bin/smbclient
NMBL=/usr/bin/nmblookup
NMAP=/usr/bin/nmap
GREP=/bin/grep
SED=/bin/sed
ZMAP=/usr/sbin/zmap
CHARSET="iso8859-1"   # assigned but never referenced in this script
TIMEOUT=2             # seconds; used by the sleep in the host loop (see note there)

usage() { echo "Usage: $0 [-z number of hosts (zmap)] [-n ip/range (nmap)]" 1>&2; exit 1; }

# Option parsing. The optstring is "n:z:", so getopts reports any other flag
# (including -h) as "?" with the flag letter in OPTARG: the "h)" arm below can
# never match, and "*)" handles both unknown flags and a missing argument.
while getopts "n:z:" opt; do
  case "$opt" in
    n)
      echo "using nmap with ${OPTARG}" >&2
      NMAPSCAN=1
      test -x $NMAP || { echo -e 'nmap not found !';exit 1; }
      IP=${OPTARG}
      ;;
    z)
      echo "using zmap with ${OPTARG} hosts" >&2
      ZMAPSCAN=1
      test -x $ZMAP || { echo -e 'zmap not found !';exit 1; }
      z=${OPTARG}
      ;;
    h)
      # unreachable: see the note above the loop
      echo "Invalid option: -$OPTARG" >&2
      usage
      ;;
    *)
      # also reached for unknown flags, for which this message is misleading;
      # the "exit 1" is dead code because usage already exits
      echo "Option -$OPTARG requires an argument. " >&2
      usage
      exit 1
      ;;
  esac
done

# Unquoted expansions: with both variables unset this becomes "[ -z ] && [ -z ]",
# which evaluates true, so usage is still shown when no mode was chosen.
if [ -z $ZMAPSCAN ] && [ -z $NMAPSCAN ]; then
  usage
fi

shift $((OPTIND-1))

test -x $MNT || { echo -e 'mount not found !';exit 1; }
test -x $SMBC || { echo -e 'smbclient not found !';exit 1; }
test -x $NMBL || { echo -e 'nmblookup not found !';exit 1; }
test -x $GREP || { echo -e 'grep not found !';exit 1; }
test -x $SED || { echo -e 'sed not found !';exit 1; }

# Sets the global SUM to the byte count of ./out (the discovered-host list).
# It is only ever compared against 0, i.e. "was anything found at all".
function check_it(){
  SUM=0
  X=`cat ./out | wc -c`
  SUM=`expr $SUM + $X`
}

echo "Written by cd ;)"
# NOTE(review): options were already shifted away above, so $1 here is the
# first non-option argument (normally empty), not the scanned range.
echo "Scan started against to $1 on port 139"
echo "This can take a while"

if [ "$NMAPSCAN" = 1 ]
then
  # NOTE(review): ${n} is never assigned anywhere; the range lives in $IP.
  echo "search via nmap at ip/range ${n} for hosts who has opened port 139"
  # Greppable output (-oG) is written to ./$IP.out. When $IP is a CIDR range
  # such as a.b.c.d/24 the "/" turns this into a path inside a non-existent
  # directory, so the file cannot be written and ./out ends up empty.
  $NMAP -p 139 -PN -T 5 -sT -v -v $IP -oG ./$IP.out | $GREP Host
  # Field 2 of each "Host: <ip> ..." line that also reports 139/open.
  cat ./$IP.out | $GREP "139/open" | cut '-d ' -f 2 > ./out
else
  echo "search via zmap for ${z} hosts who has opened port 139"
  $ZMAP -N ${z} -p 139 -B 1M -q -o ./out
  sed -i '1d' ./out #delete first line "saddr" for csv
fi

# Second shift with the same count: the options are already gone, so this only
# drops remaining positional arguments (and fails silently if there are fewer).
shift $((OPTIND-1))
rm -f ./$IP.out

check_it

if [ $SUM = 0 ]
then
  echo "Sorry No SMB Server found ! 
Thanks for use ... "
  rm -f ./out
  exit 1
fi

echo "Please wait... Searching 4 Shared Directories"

# One iteration per line of ./out. $host, $name and $LIST are unquoted in
# most places below, so a value containing whitespace or shell metacharacters
# is split into extra arguments.
while read host ; do
  # Get Computer name
  echo "Try $host..."
  echo "Searching Name via nmblookup (B)"
  name=`$NMBL -A $host | $GREP "<00> - B <ACTIVE>" | awk '{print $1}'`
  # Get Workgroup name
  workgroup=`$NMBL -A $host | $GREP "<00> - <GROUP>" | awk '{print $1}'`
  # if name not set so use this one
  # Fallback chain: B-node name, then M-node, then H-node, then the "Server"
  # line from smbclient, finally the literal NAME_NOT_FOUND. Each ":=" assigns
  # the sentinel in place when the previous lookup produced nothing.
  workgroup=${workgroup:=WORKGROUP}
  name=${name:=IG_IT_IG_IT}
  if [ $name = "IG_IT_IG_IT" ]
  then
    echo "Searching name via nmblookup (M)"
    name=`$NMBL -A $host | $GREP "<00> - M <ACTIVE>" | awk '{print $1}'`
  fi
  name=${name:=NONAME}
  if [ $name = "NONAME" ]
  then
    echo "Searching Name via nmblookup (H)"
    name=`$NMBL -A $host | $GREP "<00> - H <ACTIVE>" | awk '{print $1}'`
  fi
  name=${name:=NO_NAME}
  if [ $name = "NO_NAME" ]
  then
    echo "Searching Name via Smbclient ... using Servername"
    name=`$SMBC -N -L $host -g | grep Server | awk {'print $1'} | cut -d '|' -f 2`
  fi
  name=${name:=NAME_NOT_FOUND}
  # search for shared folders
  echo "looking for shared directorys on $host"
  # kill old sleep process
  # NOTE(review): "2&>1" is not "2>&1". It parses as an extra argument "2", a
  # trailing "&" that backgrounds the kill, and ">1" which creates/truncates a
  # file literally named "1" in the working directory. `pidof sleep` also
  # matches every sleep process on the machine, not only this script's.
  kill -9 `pidof sleep` 2&>1
  # Anonymous (-N) share listing in machine-readable (-g) form; keep "Disk"
  # entries and take the share name (field 2). These names are supplied by the
  # remote host and are used as local path components in the inner loop.
  $SMBC -W "$workgroup" -n "fuckup" -N -L $host -g -p 139 | grep Disk | cut -f 2 -d '|' > ./$host.shares
  # set Timeout to kill connections that take to long 10 sec is ok i think
  # NOTE(review): the smbclient above has already finished by the time this
  # line runs, so the sleep does not bound it; the kill only executes if sleep
  # itself fails, and it has the same "2&>1" and system-wide pidof problems as
  # above. TIMEOUT is 2 seconds, not the 10 the comment mentions.
  sleep $TIMEOUT || kill -9 `pidof $SMBC` 2&>1
  exist=0
  while read LIST ; do
    exist=1
    #make directory for the shares
    # NOTE(review): $LIST is a remote-supplied share name and $name a
    # remote-supplied NetBIOS name; neither is checked for "/" or "..", so the
    # directory and the mount target can land outside ./$name-$host. This
    # mkdir is quoted, the mount lines below are not.
    mkdir -p ./"$name-$host/$LIST"
    #add a logfile
    #touch ./"$name-$host/ip-is-$host"
    # Three mounts are attempted in turn on the same mount point: cifs as
    # guest, cifs as user "nobody", then nfs. None of the exit codes is
    # checked, so more than one of them can end up mounted there.
    $MNT -t cifs -o guest,iocharset=utf8,_netdev //$host/$LIST ./$name-$host/$LIST
    $MNT -t cifs -o user=nobody,iocharset=utf8,_netdev //$host/$LIST ./$name-$host/$LIST
    $MNT -t nfs $host:/$LIST ./$name-$host/$LIST
    echo "trying to mount //$host/$LIST into ./$name-$host/$LIST"
    # exist was set to 1 at the top of this loop body, so this is always true.
    if [ $exist = 1 ]
    then
      #write some useful or not very useful informations into a log
      # `df -h | grep $host` is a substring match over the whole df output.
      echo " $name - $host Last found: `date` Mapped : `df -h | grep $host`" >> ./"$name-$host/ip-is-$host"
    fi
  done < ./$host.shares
  rm -f ./$host.shares
done < ./out

# Final report: the mount table filtered by $FILESYSTEM, read back through
# `more` inside a command substitution, then the scratch files are removed.
mount | $GREP $FILESYSTEM > ./mounts
echo " SMBScan v 1.2 -> listing mounted smb file systems `cat ./mounts | more` "
rm -f ./mounts
rm -f ./out
umountall.sh
#!/bin/sh
# Force-unmounts everything matched by the glob */* relative to the current
# directory. NOTE(review): this relies on being run from the same working
# directory in which the scanner created its <name>-<host>/<share> mount
# points; the glob also matches ordinary subdirectories, for which umount
# simply reports an error.
#get forced
echo "unmounting smb file systems (force)"
umount -f */*